CVE-2022-24869 (GCVE-0-2022-24869)
Vulnerability from cvelistv5
Published
2022-04-21 17:00
Modified
2025-04-23 18:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Version: >= 0.90, < 10.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:00.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:08:04.098529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:32:52.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.90, \u003c 10.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket\u0027s followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-21T17:00:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.0"
}
],
"source": {
"advisory": "GHSA-p94c-8qp5-gfpx",
"discovery": "UNKNOWN"
},
"title": "Cross Site Scripting in GLPI",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24869",
"STATE": "PUBLIC",
"TITLE": "Cross Site Scripting in GLPI"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "glpi",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.90, \u003c 10.0.0"
}
]
}
}
]
},
"vendor_name": "glpi-project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket\u0027s followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx",
"refsource": "CONFIRM",
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx"
},
{
"name": "https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e",
"refsource": "MISC",
"url": "https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e"
},
{
"name": "https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20",
"refsource": "MISC",
"url": "https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.0",
"refsource": "MISC",
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.0"
}
]
},
"source": {
"advisory": "GHSA-p94c-8qp5-gfpx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24869",
"datePublished": "2022-04-21T17:00:16.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:32:52.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-24869\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-04-21T17:15:08.997\",\"lastModified\":\"2024-11-21T06:51:17.210\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket\u0027s followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.\"},{\"lang\":\"es\",\"value\":\"GLPI es un paquete de software gratuito de administraci\u00f3n de activos y TI, que proporciona funciones de Service Desk de ITIL, seguimiento de licencias y auditor\u00eda de software. En versiones anteriores a 10.0.0 pueden usarse los seguimientos de los tickets o configurar los mensajes de inicio de sesi\u00f3n con un enlace de hoja de estilo. Esto puede permitir un vector de ataque de tipo cross site scripting. Este problema est\u00e1 parcialmente mitigado por la seguridad de los navegadores, aunque Es recomendado a usuarios actualizar\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"0.90\",\"matchCriteriaId\":\"A26E2D12-D955-4CE7-8B1A-FBACD177FB56\"}]}]}],\"references\":[{\"url\":\"https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi/releases/tag/10.0.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi/releases/tag/10.0.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"affected\": [{\"product\": \"glpi\", \"vendor\": \"glpi-project\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.90, \u003c 10.0.0\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket\u0027s followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 4.6, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\", \"version\": \"3.1\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-04-21T17:00:16.000Z\", \"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\"}, \"references\": [{\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/glpi-project/glpi/releases/tag/10.0.0\"}], \"source\": {\"advisory\": \"GHSA-p94c-8qp5-gfpx\", \"discovery\": \"UNKNOWN\"}, \"title\": \"Cross Site Scripting in GLPI\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security-advisories@github.com\", \"ID\": \"CVE-2022-24869\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Cross Site Scripting in GLPI\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"glpi\", \"version\": {\"version_data\": [{\"version_value\": \"\u003e= 0.90, \u003c 10.0.0\"}]}}]}, \"vendor_name\": \"glpi-project\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket\u0027s followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 4.6, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\", \"version\": \"3.1\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx\", \"refsource\": \"CONFIRM\", \"url\": \"https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx\"}, {\"name\": \"https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e\", \"refsource\": \"MISC\", \"url\": \"https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e\"}, {\"name\": \"https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20\", \"refsource\": \"MISC\", \"url\": \"https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20\"}, {\"name\": \"https://github.com/glpi-project/glpi/releases/tag/10.0.0\", \"refsource\": \"MISC\", \"url\": \"https://github.com/glpi-project/glpi/releases/tag/10.0.0\"}]}, \"source\": {\"advisory\": \"GHSA-p94c-8qp5-gfpx\", \"discovery\": \"UNKNOWN\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:29:00.206Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/glpi-project/glpi/releases/tag/10.0.0\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24869\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T14:08:04.098529Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T14:08:05.543Z\"}}]}",
"cveMetadata": "{\"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"cveId\": \"CVE-2022-24869\", \"datePublished\": \"2022-04-21T17:00:16.000Z\", \"dateReserved\": \"2022-02-10T00:00:00.000Z\", \"dateUpdated\": \"2025-04-23T18:32:52.595Z\", \"state\": \"PUBLISHED\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…